Bug 152821 - CAN-2004-0891 gaim MSN protocol buffer overflow.
CAN-2004-0891 gaim MSN protocol buffer overflow.
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
http://rhn.redhat.com/errata/RHSA-200...
1, LEGACY, rh73, rh90
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-10-21 14:21 EDT by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Lawrence 2005-03-30 18:28:39 EST
Buffer overflow when receiving unexpected sequence of MSNSLP messages
Affected code: src/protocols/msn/slplink.c memcpy was used without
checking the size of the buffer before copying to it.  Additionally, a
logic flaw was causing the wrong buffer to be used as the destination
for the copy under certain circumstances.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135679
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=135678
http://rhn.redhat.com/errata/RHSA-2004-604.html



------- Additional Comments From ckelley@ibnads.com 2004-10-22 08:02:51 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
df990e14e187709606684709a605270e6d64d324  7.3/gaim-1.0.2-0.73.0.legacy.i386.rpm
c24f098f27cd6d4b8a92eb9cc5b83d82b45d5061  7.3/gaim-1.0.2-0.73.0.legacy.src.rpm
f916b84e986996d765f6c2d12bab4205f0cfef84  9/gaim-1.0.2-0.90.0.legacy.i386.rpm
d51ce6674287aeb6a885da57dcbb94947350a541  9/gaim-1.0.2-0.90.0.legacy.src.rpm
95e6a70277526a085f980be960d7b1e400085728  fc1/gaim-1.0.2-0.FC1.0.legacy.i386.rpm
eaa8317f4e738fd8d98e1f2ac3435a085d7b76df  fc1/gaim-1.0.2-0.FC1.0.legacy.src.rpm
 
7.3  -  http://www.ibnads.com/fedora_legacy/gaim/7.3/
9    -  http://www.ibnads.com/fedora_legacy/gaim/9/
FC1  -  http://www.ibnads.com/fedora_legacy/gaim/fc1/
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBeUrfyQ+yTHz+jJkRAjs5AJ9Z06oLEei6Jo7YM7szPJ6Lbm0XEgCfRoTd
2fqx7s3j62receHP/xnFWK4=
=fjcI
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers@gtri.gatech.edu 2004-10-22 12:13:45 ----

looks like gaim has historically been updated packages rather than backports, so
going to 1.0.2 on all platforms seems to be a valid solution...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
                                                                               
                                                                             
i did QA on craig's RedHat 7.3 package:
c24f098f27cd6d4b8a92eb9cc5b83d82b45d5061  gaim-1.0.2-0.73.0.legacy.src.rpm
                                                                               
                                                                             
sha1sum ok
source files ok (verified upstream)
spec file ok
patches n/a
builds ok
no rh9 box to install or run on
                                                                               
                                                                             
+PUBLISH
                                                                               
                                                                             
i did QA on craig's RedHat 9 package:
d51ce6674287aeb6a885da57dcbb94947350a541  gaim-1.0.2-0.90.0.legacy.src.rpm
                                                                               
                                                                             
sha1sum ok
source files ok (verified upstream)
spec file ok, but some perl and manpath changes from 0.82.1-0.90.3.legacy ?
patches n/a
builds ok
no rh9 box to install or run on
 
+PUBLISH
 
i did QA on craig's FC1 package:
eaa8317f4e738fd8d98e1f2ac3435a085d7b76df  gaim-1.0.2-0.FC1.0.legacy.src.rpm
 
sha1sum ok
source files ok (verified upstream)
spec file ok, but missing gcc-c++ as buildrequire
patches n/a
builds ok after adding missing gcc-c++ buildrequire
installs ok
runs ok
 
+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBeYVvtU2XAt1OWnsRAjtcAKDZ0KchvHD18fCh1mDgs/UyEIAMoACeIw6S
hNUOQnc+ejzBfXeLgVb5I84=
=VCx+
-----END PGP SIGNATURE-----





------- Additional Comments From ckelley@ibnads.com 2004-10-25 05:49:52 ----

From comment #2

> spec file ok, but some perl and manpath changes from 0.82.1-0.90.3.legacy ?

Redhat disabled perl support in gaim; but if you build it on box with
perl installed, it tries to include the modules.  Probably won't happen in
mach; but i had to remove the files after the build, if they existed.  Also,
for some reason, gaim installs its manpage in /usr/man, instead of /usr/share




------- Additional Comments From dom@earth.li 2004-10-27 06:17:26 ----

gcc-c++ is taken as an assume basic dependency and will be included in our mach
already.



------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-05 09:52:33 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the following packages:

c24f098f27cd6d4b8a92eb9cc5b83d82b45d5061  7.3/gaim-1.0.2-0.73.0.legacy.src.rpm
d51ce6674287aeb6a885da57dcbb94947350a541  9/gaim-1.0.2-0.90.0.legacy.src.rpm
eaa8317f4e738fd8d98e1f2ac3435a085d7b76df  fc1/gaim-1.0.2-0.FC1.0.legacy.src.rpm

7.3:
- - Source files match previous release/upstream
- - Spec file changes are good
- - Builds, installs and runs OK

+PUBLISH

9:
- - Source files match previous release/upstream
- - Spec file changes look OK and make sense
- - Builds, installs and runs OK

+PUBLISH

fc1:
- - Source files match previous release/upstream
- - Spec file changes are good
- - Builds, installs and runs OK

FC2 gaim has a patch that disables Gnome autodetection
in order for the browser selection properties page to
always show up. In this FC1 build, it always uses
gnome-open as default. I guess it is OK though, as I
can't find a reason why gnome-open isn't good.

+PUBLISH


My only comment is we need to change release numbers.
gaim-1.0.2-0.73.0.legacy is newer than gaim-1.0.2-0.FC2

I suggest:

gaim-1.0.2-0.FC0.73.0.legacy
gaim-1.0.2-0.FC0.90.0.legacy
gaim-1.0.2-0.FC1.0.legacy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFBs2coLMAs/0C4zNoRAq/lAJ4lf2Q91kATrpiSNLzj7773fSqrUACgqxG5
ZjiUZvMtX6u5u6QFLgaDR98=
=nlwL
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2004-12-15 16:16:55 ----

Packages were pushed to updates-testing



------- Additional Comments From deisenst@gtw.net 2004-12-18 03:56:52 ----

Created an attachment (id=947)
Diff between updates-testing & locally-built PERL modules

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verifying the Fedora Core 1 package gaim-1.0.2-0.FC1.0.legacy.i386.rpm 
in updates-testing,

http://download.fedoralegacy.org/fedora/1/updates-testing/i386/gaim-1.0.2-0.FC1.0.legacy.i386.rpm


78e9993c468e49abf30779c99a9436046fcce426  gaim-1.0.2-0.FC1.0.legacy.i386.rpm 

  *  rpm --checksig gaim-1.0.2-0.FC1.0.legacy.i386.rpm
     gaim-1.0.2-0.FC1.0.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
  *  sha1sum OK
  *  Did an rpm-build-compare.sh of this binary rpm compared to one I built 
     from sources.  Apparently, jane's mach environment has a slightly older
     version of perl installed for FC1 than the most recent perl-5.8.3-16
     binary package. Enclosing a subset of the differences listing as an
     attachment.
  *  Package installs fine.
  *  Works good for me.  Can get on AIM, MSN and Yahoo at the same time.  OK

Am going to assume that PERL is upward-compatible, so that vendor_perl packages

installed on a PERL 5.8.1 system will still work when 5.8.3 is installed.  So--


    I vote VERIFY+

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBxDdXxou1V/j9XZwRAlu0AKD7TjoYDqWP/vhakqSyIXBNDWn5IwCcDLUr
mr1xBU57X8ryiYFArui9/XY=
=PA2U
-----END PGP SIGNATURE-----




------- Additional Comments From deisenst@gtw.net 2004-12-18 04:12:34 ----

Created an attachment (id=948)
My GPG-signed verify message

Looks like comment 7 doesn't PGP verify, so it is enclosed.
Hopefully this one will verify ok.   -David



------- Additional Comments From sheltren@cs.ucsb.edu 2005-01-13 07:25:31 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for RH9 package:
4b1ebfc27b5b05868f5737064f16711d72904565  gaim-1.0.2-0.FC0.90.0.legacy.i386.rpm

Signature is OK
Package installs OK
gaim runs OK - connected to yahoo network, changed preferences, etc.  Everything
seems to work fine.

RH9 VERIFY++
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFB5q7wKe7MLJjUbNMRAtIxAKCS114MKB3QW4/S22lPWMJaLMyIXwCeMyHY
fLaqWBncMl7XDl0IBh2H9VY=
=F6wv
-----END PGP SIGNATURE-----



------- Additional Comments From mschout@gkg.net 2005-02-05 13:50:00 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify for Redhat 7.3:

* 3295c64f815276248dde65bdf2ed060b  gaim-1.0.2-0.FC0.73.0.legacy.i386.rpm
* # rpm --checksig gaim-1.0.2-0.FC0.73.0.legacy.i386.rpm:
  gaim-1.0.2-0.FC0.73.0.legacy.i386.rpm: md5 gpg OK
* package installs fine
* package appears to work correctly.  Can connect to AIM network
  and send/receive messages normally.

+VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCBVuB+CqvSzp9LOwRAsahAJ9An+aRizRjth4Ucd48nV0KieN2fgCgmwaI
m5b7Y/D/PVOrZu4obujY480=
=JI2f
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-10 13:04:49 ----

Packages were officially released.



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:28 -------

This bug previously known as bug 2188 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2188
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Diff between updates-testing & locally-built PERL modules
https://bugzilla.fedora.us/attachment.cgi?action=view&id=947
My GPG-signed verify message
https://bugzilla.fedora.us/attachment.cgi?action=view&id=948

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.


Note You need to log in before you can comment on or make changes to this bug.